Unpacking is an essential initial step in malware analysis. As malware mutates, evolves, and propagates, so do the packers that are used to hide their intent from static analysis techniques. For the typical malware analyst, fighting against the vast array of packing methods can be challenging; it's almost impossible to know how every packer works. However, all packers have a common goal: to write code to memory and execute it.
We've created a tool named The Packer Attacker, which exploits this common feature that exists in all packers. From an injected DLL, The Packer Attacker uses memory and API hooks to monitor when a sample writes to its PE sections, allocates new memory, or executes within heap memory that has been given executable privileges. When any of these events culminate in a way that resembles expected packer behavior, the targeted memory page(s) are dumped to disk, accompanied by detailed logs of what caused the dump.
For it's memory hooks, The Packer Attacker limits access rights to tracked pages and uses a Vectored Exception Handler to catch ACCESS_VIOLATION exceptions when the memory is written to or executed. For it's API hooks, the tool uses Microsoft Research's Detours library. The injected DLL also will also propagate itself into new processes and track when code is unpacked to remote processes.
In our tests, The Packer Attacker has been able to pull full PE executables from actives samples of many high-profile malware families. In blind tests against an unknown variety of malware from a large malware repository, The Packer Attacker showed ~90% efficiency, defeating both known and unknown packers.
In this talk, we will cover the methods The Packer Attacker uses to instrument execution, monitor memory access, and detect PE modifications from userland. We will also cover the logical flow of the tool, explaining how it decides when behavior is indicative of a packer. After concluding the talk with a live demonstration on common malware, we will equip the audience to attack packers by supplying them with the GitHub repo that hosts The Packer Attacker's source code.
Source URL: https://github.com/nickcano/PackerAttacker

Vadim Kotov is a security researcher working with Bromium Labs. He has extensive experience in areas of reverse engineering, malware analysis and machine learning. Vadim holds a 5-year bachelor degree and PhD in computer science from USATU (Russia). His presented his research/published at such events as USENIX and Virus Bulletin. He also is an active blogger at the Bromium Labs Call of the Wild Blog.
Nick Cano is a senior security engineer at Bromium, where he develops software to detect and defend against advanced malware. He's been programming for most of his life, and wrote his code when he was 12 years old. Nick also has a history developing and selling bots for online games, advising game developers on how to protect against bots, and he is writing a book on Game Hacking that will be published by The No Starch Press.